Bug#887391: CVE-2017-9274

2018-01-15 Thread Moritz Muehlenhoff
Package: osc Severity: grave Tags: security Please see https://bugzilla.novell.com/show_bug.cgi?id=938556 Cheers, Moritz

Bug#825501: CVE-2016-4434

2018-01-12 Thread Moritz Muehlenhoff
On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote: > On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote: > > please see http://seclists.org/oss-sec/2016/q2/413 for details. > > That link says: > Versions Affected: > Apache Tika 0.10 to 1.1

Bug#885578: RM: micro-proxy -- RoQA; unmaintained, unused, orphaned

2017-12-28 Thread Moritz Muehlenhoff
Package: ftp.debian.org Severity: normal Hi, please remove micro-proxy. It's orphaned for 3.5 years without an adopter, hasn't seen an upload in a decade, it's almost unused in popcon and the version in the archive is from 2002 (even though upstream has a 2014 release). Cheers, Moritz

Bug#885504: Please remove Suggests on zoo

2017-12-27 Thread Moritz Muehlenhoff
Source: engrampa Severity: normal Your package suggests 'zoo', which has been removed from the archive, please adapt your control file. Cheers, Moritz

Bug#885502: Please remove Suggests on zoo

2017-12-27 Thread Moritz Muehlenhoff
Package: mikmod Severity: normal Your package suggests 'zoo', which has been removed from the archive, please adapt your control file. Cheers, Moritz

Bug#885503: Please remove Suggests on zoo

2017-12-27 Thread Moritz Muehlenhoff
Package: file-roller Severity: normal Your package suggests 'zoo', which has been removed from the archive, please adapt your control file. Cheers, Moritz

Bug#885499: Please remove Suggests on zoo

2017-12-27 Thread Moritz Muehlenhoff
Package: avfs Severity: normal Your package suggests 'zoo', which has been removed from the archive, please adapt your control file. Cheers, Moritz

Bug#885500: Please remove Suggests on zoo

2017-12-27 Thread Moritz Muehlenhoff
Package: zipper.app Severity: normal Your package suggests 'zoo', which has been removed from the archive, please adapt your control file. Cheers, Moritz

Bug#885342: RM: zoo -- RoQA; dead upstream, orphaned, open security issues

2017-12-26 Thread Moritz Muehlenhoff
Package: ftp.debian.org Severity: normal Hi, please remove zoo. It's orphaned without a new maintainer for three years now, dead upstream (last release from 1993) and has open security issues (#774453, #774032). There's a couple of Suggests: against the package, I'll file bugs to drop them once

Bug#885340: CVE-2017-17504

2017-12-26 Thread Moritz Muehlenhoff
Package: imagemagick Severity: important Tags: security https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17504: https://github.com/ImageMagick/ImageMagick/issues/872 ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/ce3a586a43a7d13442587eb7f28d129557b6a135 ImageMagick-7:

Bug#885339: CVE-2017-17499

2017-12-26 Thread Moritz Muehlenhoff
Package: imagemagick Version: 8:6.9.7.4+dfsg-16 Severity: important Tags: security https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17499: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3=33078=5fbb164c3830293138917f9b14264ed1 ImageMagick-7:

Bug#885338: CVE-2017-12165

2017-12-26 Thread Moritz Muehlenhoff
Source: undertow Severity: important Tags: security The only source here is a report in Red Hat Bugzilla, so might be worth contacting upstream for additional information: https://bugzilla.redhat.com/show_bug.cgi?id=1490301 Cheers, Moritz

Bug#884852: implement a way to report packages installed from a given repository

2017-12-20 Thread Moritz Muehlenhoff
Arturo Borrero Gonzalez wrote: > Package: apt > Version: 1.6~alpha5 > Severity: wishlist > > I would love to have a clean way to generate a report of packages installed > from > a given repository. Maybe it would be possible to add this information to /var/log/apt/history.log? Something like:

Bug#883923: CVE-2017-10203 / CVE-2017-10277

2017-12-09 Thread Moritz Muehlenhoff
Source: mysql-connector-net Severity: grave Tags: security Hi, the http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html mentions two vulnerabilities in Connector/Net. Cheers, Moritz

Bug#882621: stretch-pu: package python2.7/2.7.13-2+deb9u2

2017-11-24 Thread Moritz Muehlenhoff
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, I'd like to add a fix for a minor security issue in Python 2.7 to the as a followup update to what's already in spu. debdiff is below. This is fixed in unstable in 2.7.13-4.

Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686

2017-11-17 Thread Moritz Muehlenhoff
On Fri, Nov 17, 2017 at 09:36:46PM +0100, Pali Rohár wrote: > On Friday 17 November 2017 12:36:54 Moritz Muehlenhoff wrote: > > On Fri, Nov 17, 2017 at 12:03:26PM +0100, Pali Rohár wrote: > > > What > > > about next, do you have some script or any other tool which can

Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686

2017-11-17 Thread Moritz Muehlenhoff
On Fri, Nov 17, 2017 at 12:03:26PM +0100, Pali Rohár wrote: > What > about next, do you have some script or any other tool which can create > those wishlist bugs for all packages which depend on > libemail-address-perl package? There's a mass-bug script in 'devscripts', but since there's less

Bug#881929: Incompatible with Firefox >= 57

2017-11-16 Thread Moritz Muehlenhoff
Package: xine-plugin Severity: grave With the update to Firefox (which removes the old plugin interface), the plugin gets disabled. It's still usable with firefox-esr, but only for a limited time frame (until ESR switches to 59 in February) and given that it's dead upstream, let's remove it from

Bug#877442: marked as pending

2017-11-16 Thread Moritz Muehlenhoff
On Thu, Nov 16, 2017 at 09:07:58AM +0100, Dylan Aïssi wrote: > Hi Moritz, > > 2017-11-14 21:33 GMT+01:00 Moritz Muehlenhoff <j...@debian.org>: > > > > There's still the possibility to fix this via a stable point update > > [1], so I was wondering whether

Bug#877442: marked as pending

2017-11-14 Thread Moritz Muehlenhoff
On Wed, Nov 01, 2017 at 10:28:22PM +, Dylan Aïssi wrote: > > --- > commit 25174e187c6211a7e05c44c0fb3eb17556484e61 > Author: Dylan Aïssi > Date: Wed Nov 1 22:47:00 2017 +0100 > > Add an upstream patch to fix CVE-2017-14731 (Closes: #877442) > > diff --git

Bug#880116: CVE-2017-15953 / CVE-2017-15954 / CVE-2017-15955

2017-10-29 Thread Moritz Muehlenhoff
Package: bchunk Severity: grave Tags: security Please see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15955 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15954 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15953 Cheers, Moritz

Bug#878920: IncludeOptional should deal gracefully with a missing directory in the specified path

2017-10-26 Thread Moritz Muehlenhoff
forwarded 878920 https://bz.apache.org/bugzilla/show_bug.cgi?id=57585 thanks Hi, On Tue, Oct 17, 2017 at 07:27:54PM +0200, Moritz Muehlenhoff wrote: > Creating /usr/share/modsecurity-crs/ fixes it, but that seems like a > misfeature/bug? > Shouldn't it also fail gracefully in the absen

Bug#879732: CVE-2017-15874 / CVE-2017-15873

2017-10-25 Thread Moritz Muehlenhoff
On Wed, Oct 25, 2017 at 07:27:42PM +0200, Christoph Biedl wrote: > Tags: upstream confirmed > > Moritz Muehlenhoff wrote... > > > Hi, > > please see: > > Thanks for the heads-up, we'll try to get this fixed as soon as > possible. For the moment, I'm som

Bug#879732: CVE-2017-15874 / CVE-2017-15873

2017-10-25 Thread Moritz Muehlenhoff
Package: busybox Version: 1:1.27.2-1 Severity: important Tags: security Hi, please see: CVE-2017-15873 The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.

Bug#879708: CVE-2017-12613 CVE-2017-12618

2017-10-24 Thread Moritz Muehlenhoff
On Tue, Oct 24, 2017 at 10:28:02PM +0200, Moritz Muehlenhoff wrote: > Source: apr-util > Severity: important > Tags: security > > I'm sure you're aware, but filing for completeness in the BTS anyway: > http://mail-archives.apache.org/mod_mbox/a

Bug#879708: CVE-2017-12613 CVE-2017-12618

2017-10-24 Thread Moritz Muehlenhoff
Source: apr-util Severity: important Tags: security I'm sure you're aware, but filing for completeness in the BTS anyway: http://mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E Cheers, Moritz

Bug#879501: CVE-2017-15670

2017-10-22 Thread Moritz Muehlenhoff
Package: libc6 Version: 2.24-17 Severity: important Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670: The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c,

Bug#879500: CVE-2017-15671

2017-10-22 Thread Moritz Muehlenhoff
Package: libc6 Version: 2.24-17 Severity: important Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when

Bug#878920: IncludeOptional should deal gracefully with a missing directory in the specified path

2017-10-17 Thread Moritz Muehlenhoff
Source: apache2 Version: 2.4.25-3+deb9u3 Severity: normal Hi, libapache2-mod-security2 sets a Recommends: on modsecurity-crs and ships a /etc/apache2/mods-enabled/security2.conf with the following directive: - # Include OWASP ModSecurity CRS rules if installed IncludeOptional

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-17 Thread Moritz Muehlenhoff
On Tue, Oct 17, 2017 at 04:30:16PM +0200, Emmanuel Bourg wrote: > I ran the Oracle JavaFX demos with the new version and it worked fine > (except the media player but this isn't a regression, something is > probably misconfigured on my machine). > > Should I proceed with the upload, or do you

Bug#863888: issue in backport package

2017-10-16 Thread Moritz Muehlenhoff
On Sat, Jul 22, 2017 at 11:37:50AM +0200, Matthias Klose wrote: > Control: severity -1 normal > > this is apparently an issue in the backports archive. Please contact the > uploader for this package for a fix. It's caused by the "Breaks: ca-certificates-java (<< 20160321~)", jessie-backports

Bug#828475: openssh: Please migrate to openssl1.1 in Buster

2017-10-16 Thread Moritz Muehlenhoff
On Sun, Oct 15, 2017 at 10:06:35PM +0100, Colin Watson wrote: > > > Does it help that OpenSSH only uses libcrypto, not libssh? If somebody > > What? You've entirely misunderstood me. Yeah, but that's caused by you typoing libssh/libssl :-) Cheers, Moritz

Bug#878138: muttprint: still vulnerable to symlink attack (race condition)

2017-10-10 Thread Moritz Muehlenhoff
On Tue, Oct 10, 2017 at 03:42:40PM +0200, Vincent Lefevre wrote: > On 2017-10-10 14:27:24 +0200, Moritz Muehlenhoff wrote: > > On Tue, Oct 10, 2017 at 02:16:28PM +0200, Vincent Lefevre wrote: > > > On 2017-10-10 13:58:16 +0200, Moritz Muehlenhoff wrote: > > > >

Bug#878138: muttprint: still vulnerable to symlink attack (race condition)

2017-10-10 Thread Moritz Muehlenhoff
On Tue, Oct 10, 2017 at 02:16:28PM +0200, Vincent Lefevre wrote: > On 2017-10-10 13:58:16 +0200, Moritz Muehlenhoff wrote: > > This is neutralised by kernel hardening starting with stretch, see release > > notes: > > https://www.debian.org/releases/jessie/amd64/release-notes

Bug#878138: muttprint: still vulnerable to symlink attack (race condition)

2017-10-10 Thread Moritz Muehlenhoff
On Tue, Oct 10, 2017 at 01:17:54PM +0200, Vincent Lefevre wrote: > Package: muttprint > Version: 0.73-8 > Severity: grave > Tags: security upstream > Justification: user security hole > > The muttprint Perl script contains: > > my $logf = "/tmp/muttprint.log"; > > if (-e

Bug#877903: CVE-2017-15037

2017-10-06 Thread Moritz Muehlenhoff
Source: kfreebsd-10 Severity: important Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15037 Cheers, Moritz

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-06 Thread Moritz Muehlenhoff
On Fri, Oct 06, 2017 at 04:27:02PM +0200, Emmanuel Bourg wrote: > Hi, > > Quick update on openjfx: the package is back on track, as of version > 8u141-b14-3 I eventually managed to get it to build on both amd64 and > i386 in unstable for the first time since January. If the tests go well > I'll

Bug#877660: CVE-2017-15010

2017-10-03 Thread Moritz Muehlenhoff
Package: node-tough-cookie Severity: grave Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15010 Cheers, Moritz

Bug#852093: hesiod: CVE-2016-10152: Use of hard-coded DNS domain if configuration file cannot be read

2017-10-02 Thread Moritz Muehlenhoff
On Sat, Jan 21, 2017 at 05:58:34PM +0100, Salvatore Bonaccorso wrote: > Source: hesiod > Version: 3.2.1-3 > Severity: normal > Tags: upstream patch security > Forwarded: https://github.com/achernya/hesiod/pull/10 > > Hi, > > the following vulnerability was published for hesiod. > >

Bug#859136: CVE-2016-1566: XSS vulnerability in file browser

2017-10-02 Thread Moritz Muehlenhoff
On Thu, Mar 30, 2017 at 02:45:21PM -0400, Antoine Beaupre wrote: > Package: guacamole-client > X-Debbugs-CC: t...@security.debian.org > secure-testing-t...@lists.alioth.debian.org > Severity: normal > Tags: security > Version: 0.9.9+dfsg-1 > > Hi, > > the following vulnerability was published

Bug#877543: CVE-2017-14970

2017-10-02 Thread Moritz Muehlenhoff
Source: openvswitch Severity: important Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14970 Cheers, Moritz

Bug#871321: tenshi: CVE-2017-11746: should create its PID file before dropping privileges

2017-10-02 Thread Moritz Muehlenhoff
On Mon, Aug 07, 2017 at 05:54:07PM +0200, Salvatore Bonaccorso wrote: > Source: tenshi > Version: 0.13-2 > Severity: normal > Tags: upstream patch security > Forwarded: https://github.com/inversepath/tenshi/issues/6 > > Hi, > > the following vulnerability was published for tenshi. > >

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-02 Thread Moritz Muehlenhoff
On Sat, Aug 05, 2017 at 09:58:53PM +0200, Salvatore Bonaccorso wrote: > Source: openjfx > Version: 8u131-b11-1 > Severity: grave > Tags: upstream security > > Hi, > > the following vulnerabilities were published for openjfx. > > CVE-2017-10086[0] and CVE-2017-10114[1]. > > Unfortunately it's

Bug#877512: Systemd support for slapd

2017-10-02 Thread Moritz Muehlenhoff
Package: slapd Severity: wishlist The best way to address the root cause for CVE-2017-14159 (which I agree is minor and doesn't warrant a Debian bug on its own; it's filed upstream as http://www.openldap.org/its/index.cgi?findid=8703 for reference) would be to provide a systemd unit for slapd

Bug#860566: fixed in batik 1.9-1

2017-10-01 Thread Moritz Muehlenhoff
On Mon, Sep 04, 2017 at 06:19:28AM +, Christopher Hoskin wrote: > Changes: > batik (1.9-1) unstable; urgency=medium [..] >* New upstream (1.9) >+ Fix "CVE-2017-5662: information disclosure vulnerability" Upstream > claim > BATIK-1139 is fixed in 1.9 (Closes: #860566)

Bug#877379: CVE-2017-14685 / CVE-2017-14686 / CVE-2017-14687

2017-10-01 Thread Moritz Muehlenhoff
Package: mupdf Version: 1.11+ds1-1 Severity: grave Tags: security Hi, please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14685 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14686 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14687 which contains further

Bug#877363: CVE-2017-14102

2017-09-30 Thread Moritz Muehlenhoff
Source: mimedefang Severity: important Tags: security This was assigned CVE-2017-14102: http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038077.html Fixed in 2.81: http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038085.html Cheers, Moritz

Bug#869404: resiprocate: CVE-2017-11521: Adding too many media connections may lead to memory exhaustion

2017-09-30 Thread Moritz Muehlenhoff
On Sun, Jul 23, 2017 at 07:55:20AM +0200, Salvatore Bonaccorso wrote: > Source: resiprocate > Version: 1:1.9.7-5 > Severity: grave > Tags: upstream security > Forwarded: https://github.com/resiprocate/resiprocate/pull/88 > > Hi, > > the following vulnerability was published for resiprocate. > >

Bug#877361: CVE-2017-14609

2017-09-30 Thread Moritz Muehlenhoff
Source: kannel Severity: important Tags: security Please see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14609 https://redmine.kannel.org/issues/771 Cheers, Moritz

Bug#864535: ceph: CVE-2017-7519: libradosstriper processes arbitrary printf placeholders in user input

2017-09-30 Thread Moritz Muehlenhoff
On Sat, Jun 10, 2017 at 08:49:33AM +0200, Salvatore Bonaccorso wrote: > Source: ceph > Version: 10.2.5-7.2 > Severity: important > Tags: security patch upstream > Forwarded: http://tracker.ceph.com/issues/20240 > > Hi, > > the following vulnerability was published for ceph. > >

Bug#877334: CVE-2017-14610

2017-09-30 Thread Moritz Muehlenhoff
Source: bareos Severity: important Tags: security Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14610 Upstream bug is: https://bugs.bareos.org/view.php?id=847 Cheers, Moritz

Bug#871617: CVE-2017-3224

2017-09-30 Thread Moritz Muehlenhoff
On Thu, Aug 10, 2017 at 01:10:46AM +0200, Moritz Muehlenhoff wrote: > Source: quagga > Severity: important > Tags: security > > Please see http://www.kb.cert.org/vuls/id/793496 What's the status, is that fixed upstream? > > Cheers, > Moritz > >

Bug#861694: rxvt: CVE-2017-7483

2017-09-30 Thread Moritz Muehlenhoff
On Tue, May 02, 2017 at 10:08:08PM +0200, Salvatore Bonaccorso wrote: > Source: rxvt > Version: 1:2.7.10-6 > Severity: important > Tags: security upstream patch > > Hi, > > the following vulnerability was published for rxvt. > > CVE-2017-7483[0]: > | Rxvt 2.7.10 is vulnerable to a denial of

Bug#877332: RM: p3scan -- RoQA; orphaned, dead upstream

2017-09-30 Thread Moritz Muehlenhoff
Package: ftp.debian.org Severity: normal Hi, please remove p3scan, it's orphaned since 2014 without an adopter and dead upstream for a long time (last release from 2005). Cheers, Moritz

Bug#876315: CVE-2017-14339

2017-09-20 Thread Moritz Muehlenhoff
Source: yadifa Severity: grave Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14339 Cheers, Moritz

Bug#876135: RM: moodle -- RoQA; outdated, open security issues

2017-09-18 Thread Moritz Muehlenhoff
Package: ftp.debian.org Severity: normal Please remove moodle. It was blocked out of stable for a long time, #807317 hasn't seen any followup on the call for help and the version which is now in unstable is no longer supported with security updates (only 3.x is). Cheers, Moritz

Bug#875536: FTBFS: FAILED: /root/hhvm/hhvm-3.21.0+dfsg/hphp/test/quick/chdir_posix.php

2017-09-12 Thread Moritz Muehlenhoff
On Tue, Sep 12, 2017 at 08:59:14AM +0900, Nobuhiro Iwamatsu wrote: > Package: hhvm_3.21.0+dfsg-1 > Version: 3.21.0+dfsg-1 > Severity: important > Tags: buster sid > Justification: FTBFS on amd64 > > Dear Maintainer, > > I am a lz4 package maintainer. > I plan to update this to 1.8 and it has

Bug#875415: predictable /tmp file vulnerability while building libreoffice

2017-09-11 Thread Moritz Muehlenhoff
On Mon, Sep 11, 2017 at 10:55:39AM +0200, Helmut Grohne wrote: > Source: libreoffice > Version: 1:5.4.0-1 > Severity: important > Tags: security upstream > > Looking at a sample build log > (https://buildd.debian.org/status/fetch.php?pkg=libreoffice=m68k=1%3A5.4.1-1=1504466495=0) > one can see: >

Bug#873034: CVE-2017-12962 CVE-2017-12963 CVE-2017-12964

2017-08-23 Thread Moritz Muehlenhoff
Source: libsass Severity: important Tags: security Please see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12962 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12963 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12964 Cheers, Moritz

Bug#872374: CVE-2017-12876

2017-08-16 Thread Moritz Muehlenhoff
Package: imagemagick Severity: grave Tags: security This was assigned CVE-2017-12876: https://github.com/ImageMagick/ImageMagick/issues/663 https://github.com/ImageMagick/ImageMagick/commit/1cc6f0ccc92c20c7cab6c4a7335daf29c91f0d8e Cheers, Moritz

Bug#872373: CVE-2017-12877

2017-08-16 Thread Moritz Muehlenhoff
Package: imagemagick Version: 8:6.9.7.4+dfsg-16 Severity: grave Tags: security This was assigned CVE-2017-12877: https://github.com/ImageMagick/ImageMagick/issues/662 https://github.com/ImageMagick/ImageMagick/commit/98dda239ec398dd56453460849b4c9057fc424e5 Cheers, Moritz

Bug#868480: Please build-depend on ocamlbuild

2017-08-16 Thread Moritz Muehlenhoff
Hi, On Fri, Jul 28, 2017 at 03:10:45PM +0200, Stéphane Glondu wrote: > retitle 868480 hhvm FTBFS with OCaml 4.05.0: missing ocamlbuild and other > issues > tags 868480 + patch > thanks > > On Sat, 15 Jul 2017 23:46:06 +0200 I wrote: > > hhvm uses ocamlbuild. To ease a future transition to ocaml

Bug#871617: CVE-2017-3224

2017-08-09 Thread Moritz Muehlenhoff
Source: quagga Severity: important Tags: security Please see http://www.kb.cert.org/vuls/id/793496 Cheers, Moritz

Bug#871616: CVE-2017-11661 CVE-2017-11662 CVE-2017-11663 CVE-2017-11664

2017-08-09 Thread Moritz Muehlenhoff
Source: wildmidi Severity: important Tags: security Hi, please see http://seclists.org/fulldisclosure/2017/Aug/12 Patch is here: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd Wheezy and jessie are not affected, but stretch. This doesn't warrant a DSA,

Bug#871568: Debian OVAL Files Improvement

2017-08-09 Thread Moritz Muehlenhoff
On Wed, Aug 09, 2017 at 02:16:54PM +0300, Noam Rathaus wrote: > Package: security.debian.org > > Currently the Debian OVAL lack (critical) information from the files, > specifically the severity setting of the patch. > > I wanted to ask if it would be possible for the XML files that the script >

Bug#870959: pearpc: should pearpc be removed from unstable?

2017-08-08 Thread Moritz Muehlenhoff
reassign -1 ftp.debian.org retitle -1 RM: pearpc -- RoQA; missed both jessie and stretch thanks Maintainer seems inactive, reassigning for removal. Cheers, Moritz On Sun, Aug 06, 2017 at 09:50:12AM -0400, Lucas Nussbaum wrote: > Source: pearpc > User: debian...@lists.debian.org >

Bug#871309: Support rootless X with SDDM for buster

2017-08-07 Thread Moritz Muehlenhoff
Source: sddm Severity: wishlist Hi, starting with stretch xorg-server has been fixed to allow running X as an unprivileged user. This currently works fine for sessions initiated by GDM3 and for anyone starting X11 through startx. SDDM however still initiates the session with X11 running as root.

Bug#871256: RM: ekg -- RoQA; orphaned for a long time, incompatible with OpenSSL 1.1, unused

2017-08-07 Thread Moritz Muehlenhoff
Package: ftp.debian.org Severity: normal Hi, please remove ekg. It's orphaned without an adopter for over three years and is incompatible with OpenSSL 1.1 Cheers, Moritz

Bug#870903: CVE-2017-12583

2017-08-06 Thread Moritz Muehlenhoff
Package: dokuwiki Severity: important Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12583 Cheers, Moritz

Bug#870900: CVE-2017-12481 CVE-2017-12482

2017-08-06 Thread Moritz Muehlenhoff
Package: ledger Version: 3.1.2~pre1+g3a00e1c+dfsg1-2+b1 Severity: normal Tags: security CVE-2017-12481 was assigned to http://bugs.ledger-cli.org/show_bug.cgi?id=1222 and CVE-2017-12482 was assigned to http://bugs.ledger-cli.org/show_bug.cgi?id=1224 CVE-2017-12482 is probably entirely mitigated

Bug#870725: CVE-2017-11721

2017-08-04 Thread Moritz Muehlenhoff
Source: ioquake3 Severity: grave Tags: security Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11721 Cheers, Moritz

Bug#870608: CVE-2017-11548

2017-08-03 Thread Moritz Muehlenhoff
Source: libao Severity: important Tags: security This was assigned CVE-2017-11548: http://seclists.org/fulldisclosure/2017/Jul/84 Cheers, Moritz

Bug#868818: RM: fedmsg -- RoQA; unmaintained, RC-buggy

2017-08-02 Thread Moritz Muehlenhoff
On Tue, Aug 01, 2017 at 08:24:35PM -0400, Chris Lamb wrote: > Hi, > > > RM: fedmsg -- RoQA; unmaintained, RC-buggy > > Hm, that would break these build-depends: > > datanommer.commands > datanommer.consumer > datanommer.models > fedmsg-meta-debian > fedmsg-meta-fedora-infrastructure

Bug#867986: CVE-2016-10396

2017-07-27 Thread Moritz Muehlenhoff
On Thu, Jul 27, 2017 at 10:35:36AM -0700, Noah Meyerhans wrote: > On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote: > > > > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 > > Hi Moritz. I assume your intent was not to issue

Bug#869774: thunderbird 52 needs enigmail 1.9.8 or later [was: Re: Bug#869774: Corrections - propably wrong cause]

2017-07-27 Thread Moritz Muehlenhoff
On Thu, Jul 27, 2017 at 09:59:46AM -0400, Daniel Kahn Gillmor wrote: > Control: affects 869774 + thunderbird > Control: retitle 869774 thunderbird 52 needs enigmail 1.9.8.1 or later > Control: forwarded 869774 https://sourceforge.net/p/enigmail/bugs/687/ > > Hi there-- > > On Thu 2017-07-27

Bug#869880: CVE-2017-2834 CVE-2017-2835 CVE-2017-2836 CVE-2017-2837 CVE-2017-2838 CVE-2017-2839

2017-07-27 Thread Moritz Muehlenhoff
Source: freerdp Severity: grave Tags: security Hi, please see: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0341 https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0340 https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0339

Bug#869789: thunderbird: Latest Thunderbird upgrade breaks enigmail (no more OpenPGP encryption possible)

2017-07-26 Thread Moritz Muehlenhoff
On Wed, Jul 26, 2017 at 07:05:17PM +0200, Carsten Schoenert wrote: > You could also use the Enigmail addon from Mozilla temporarily. > > https://addons.mozilla.org/de/thunderbird/addon/enigmail/ Or rather permanently. We cannot keep ~ 100 extensions for Firefox and Thunderbird in sync with an

Bug#867718: CVE-2017-11108

2017-07-26 Thread Moritz Muehlenhoff
On Wed, Jul 26, 2017 at 12:46:11PM +0200, Romain Francoise wrote: > On Sun, Jul 23, 2017 at 03:05:40PM +0200, Salvatore Bonaccorso wrote: > > This issue has been fixed upstream in 4.9.1, according to > > http://www.tcpdump.org/tcpdump-changes.txt > > Yes, thanks, I will upload to unstable

Bug#869260: CVE-2017-11368

2017-07-25 Thread Moritz Muehlenhoff
On Tue, Jul 25, 2017 at 08:04:09AM -0400, Sam Hartman wrote: > > I can absolutely prepare a stable point update request for stretch. > Is there still going to be a last point release to jessie? There will be point releases for jessie at least until June 2018, i.e. one year after the stretch

Bug#869633: CVE-2015-5191

2017-07-25 Thread Moritz Muehlenhoff
On Tue, Jul 25, 2017 at 12:35:08PM +0200, Bernd Zeimetz wrote: > Hi, > > do you want to issue a DSA for that CVE? I don't think the impact is > high enough for that and it could be fixed with the next point release. I agree, this can be fixed via a point release. I'm updating the Debian security

Bug#869633: CVE-2015-5191

2017-07-25 Thread Moritz Muehlenhoff
Source: open-vm-tools Severity: grave Tags: security Please see: http://www.openwall.com/lists/oss-security/2017/07/24/3 Cheers, Moritz

Bug#869261: [Pkg-freeipa-devel] Bug#869261: CVE-2017-7537

2017-07-24 Thread Moritz Muehlenhoff
On Mon, Jul 24, 2017 at 12:32:28PM +0300, Timo Aaltonen wrote: > On 22.07.2017 09:44, Moritz Muehlenhoff wrote: > > Source: dogtag-pki > > Severity: grave > > Tags: security > > > > Please see: > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-

Bug#869261: CVE-2017-7537

2017-07-22 Thread Moritz Muehlenhoff
Source: dogtag-pki Severity: grave Tags: security Please see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7537 Cheers, Moritz

Bug#869260: CVE-2017-11368

2017-07-22 Thread Moritz Muehlenhoff
Source: krb5 Severity: grave Tags: security Hi, please see: https://github.com/krb5/krb5/pull/678/commits/a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2 Cheers, Moritz

Bug#869242: CVE-2017-11468

2017-07-21 Thread Moritz Muehlenhoff
Source: docker-registry Severity: important Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11468 Cheers, Moritz

Bug#868818: RM: fedmsg -- RoQA; unmaintained, RC-buggy

2017-07-18 Thread Moritz Muehlenhoff
Package: ftp.debian.org Severity: normal Hi, please remove fedmsg from the archive. It's unmaintained (last upload two years ago), totally outdated (#842156) and RC-buggy for a long time. Cheers, Moritz

Bug#868578: CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340

2017-07-16 Thread Moritz Muehlenhoff
Package: exiv2 Version: 0.25-3.1 Severity: important Tags: security Please see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337

Bug#868577: CVE-2017-11341 CVE-2017-11342

2017-07-16 Thread Moritz Muehlenhoff
Source: libsass Severity: important Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11342 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11341 Cheers, Moritz

Bug#868459: stretch-pu: package libquicktime/2:1.2.4-10+deb9u1

2017-07-15 Thread Moritz Muehlenhoff
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, some minor security fixes for libquicktime, identical to what's already in unstable and also tested with reverse deps on stretch. If it's too late for 9.1, 9.2 is also just

Bug#868185: CVE-2016-4383

2017-07-12 Thread Moritz Muehlenhoff
Source: glance Severity: important Tags: security Hi, please see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4383 Cheers, Moritz

Bug#868184: CVE-2017-11141 CVE-2017-11166 CVE-2017-11170 CVE-2017-11188

2017-07-12 Thread Moritz Muehlenhoff
Source: imagemagick Severity: important Tags: security Please see: CVE-2017-11188: https://github.com/ImageMagick/ImageMagick/issues/509 CVE-2017-11170: https://github.com/ImageMagick/ImageMagick/issues/472 CVE-2017-11166: https://github.com/ImageMagick/ImageMagick/issues/471 CVE-2017-11141:

Bug#868162: July 11th Security release

2017-07-12 Thread Moritz Muehlenhoff
Source: nodejs Severity: grave Tags: security Hi, please see https://nodejs.org/en/blog/release/v4.8.4/ and https://nodejs.org/en/blog/release/v6.11.1/ The hash seed vulnerability doesn't have a CVE ID yet and the c-ares one is being addressed via the src:c-ares package. Cheers, Moritz

Bug#868083: CVE-2017-7506

2017-07-11 Thread Moritz Muehlenhoff
Source: spice Severity: grave Tags: security Please see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7506 Cheers, Moritz

Bug#868080: CVE-2017-11163

2017-07-11 Thread Moritz Muehlenhoff
Package: cacti Severity: important Tags: security This was assigned CVE-2017-11163: https://github.com/Cacti/cacti/issues/847 Cheers, Moritz

Bug#868079: Security issues marked as no-dsa are shown as "ignored"

2017-07-11 Thread Moritz Muehlenhoff
Package: tracker.debian.org Severity: normal The PTS shows no-dsa security issues as "Ignored security issue", but that's wrong: They are not ignored per se, it only means they don't warrant an immediate DSA. They can stable through a point release or they're lined up, they can be piggybacked on

Bug#867988: CVE-2017-11111 CVE-2017-10686

2017-07-10 Thread Moritz Muehlenhoff
Package: nasm Severity: grave Tags: security Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11111 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10686 Cheers, Moritz

Bug#867986: CVE-2016-10396

2017-07-10 Thread Moritz Muehlenhoff
Package: racoon Severity: grave Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 Cheers, Moritz

Bug#867725: CVE-2017-9869 CVE-2017-9870 CVE-2017-9871 CVE-2017-9872

2017-07-08 Thread Moritz Muehlenhoff
Source: lame Severity: grave Tags: security Hi, please see: CVE-2017-9869: https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-ii_step_one-layer2-c/ CVE-2017-9870: https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-iii_i_stereo-layer3-c/ CVE-2017-9871:

Bug#867724: Multiple security issues

2017-07-08 Thread Moritz Muehlenhoff
Source: faad2 Severity: important Tags: security Multiple vulnerabilities in faad2, please see: http://seclists.org/fulldisclosure/2017/Jun/32 Cheers, Moritz

Bug#807317: again: future of Moodle in Debian: ship with Debian 10 Buster in 2019?

2017-07-08 Thread Moritz Muehlenhoff
On Fri, Mar 10, 2017 at 11:50:45AM +0100, Joost van Baal-Ilić wrote: > Hi, > > Is any DD interested in working on shipping Moodle with upcoming upcoming > Debian 10 Buster release? Did anyone step up? If not, should we proceed with removal at this point? Cheers, Moritz
